
SoylentNews is people

posted by Fnord666 on Thursday October 11 2018, @04:36PM
from the another-day-another-flaw dept.

Submitted via IRC for Bytram

PINs and needled: Experian site blabbed codes to unlock credit accounts for fraudsters

Experian's website exposed to world-plus-dog the PINs needed to unlock frozen accounts, allowing crooks to potentially apply for loans and credit cards as their victims.

The credit-monitoring agency lets people freeze their account using a PIN that has to be submitted when applying for stuff like loans: it's a mechanism that's supposed to stop fraudsters from exploiting stolen personal information, such as names and social security numbers, to obtain credit using someone else's identity.

However, according to financial advice site Nerdwallet this month, the credit monitoring agency had a glitch in its online account recovery process that, when exploited, could leak a stranger's recovery PIN. A miscreant could then use that number to reverse an account freeze and free up funds for plundering.

The (since fixed) bug would allow anyone who knew a person's name, address, social security number, and date of birth to have a PIN code sent to an email address of the attacker's choosing. Recovery questions designed to prevent account theft could be circumvented by setting all answers to "none of the above."

"The form required an email address, which didn't necessarily have to be the one associated with the person's Experian account," Nerdwallet explained.

"Answering 'none of the above' to the security questions — even if some of the proffered answers were correct — gave access to that person's PIN."

Armed with that PIN, the attacker would then be able to break the credit freeze and apply to open new accounts in the victim's name. This is particularly bad in the case of Experian, as one of the main reasons for setting up a credit freeze is to mitigate the leak of precisely the private information – social security number and date of birth – used to retrieve the PIN.

[...] Though there is no indication that the flaw was ever actively abused, the findings will no doubt cause discomfort for the millions of people who have had to freeze their credit in recent years due to data breaches, including one at Experian in 2015 that involved the records of 15 million T-Mobile US customers.
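The two defects the article describes (the PIN goes to whatever email the form supplies, and "none of the above" is accepted for every security question even when a correct option was on the list) are easy to model. The code below is an added illustration, not Experian's or Nerdwallet's code; the Account record, the sample consumer "Jane Q. Public", her PIN, the security questions and the function names are all constructed for the example. The vulnerable variant reproduces the reported behaviour so the attacker path can be seen end to end; the hardened variant compares each answer, "none of the above" included, against the stored correct option and only ever releases the PIN to the address already on file.

```python
"""Toy model of a credit-freeze PIN recovery flow (constructed example)."""
from dataclasses import dataclass, field

NONE_OF_THE_ABOVE = "none of the above"


@dataclass
class Account:
    # Hypothetical consumer record; all values are fake sample data.
    name: str
    address: str
    ssn: str
    dob: str
    email_on_file: str
    pin: str
    # question -> (options shown on the form, the stored correct option)
    questions: dict = field(default_factory=dict)


# Constructed sample record. Note that NONE_OF_THE_ABOVE can legitimately be
# the correct option for a question, which is why it must be compared like
# any other answer rather than special-cased.
VICTIM = Account(
    name="Jane Q. Public",
    address="1 Example St, Springfield",
    ssn="000-00-0000",
    dob="1970-01-01",
    email_on_file="jane@example.org",
    pin="1234567890",
    questions={
        "Which street have you lived on?": (
            ["Elm St", "Example St", "Oak Ave", NONE_OF_THE_ABOVE], "Example St"),
        "Which car have you financed?": (
            ["Civic", "Corolla", "F-150", NONE_OF_THE_ABOVE], NONE_OF_THE_ABOVE),
    },
)

# What the article says the attacker already holds: name, address, SSN, DOB.
BREACHED = ("Jane Q. Public", "1 Example St, Springfield", "000-00-0000", "1970-01-01")
ATTACKER_ANSWERS = {q: NONE_OF_THE_ABOVE for q in VICTIM.questions}
CORRECT_ANSWERS = {q: correct for q, (_opts, correct) in VICTIM.questions.items()}


def identity_matches(acct, name, address, ssn, dob):
    """The 'who are you' step: only data that is routinely leaked in breaches."""
    return (acct.name, acct.address, acct.ssn, acct.dob) == (name, address, ssn, dob)


def vulnerable_recover(acct, name, address, ssn, dob, send_to, answers):
    """Reproduces the reported flaw. Returns (email_used, pin) or None.

    Defect 1: send_to comes from the form and is never checked against the account.
    Defect 2: NONE_OF_THE_ABOVE is treated as 'skip', so it always passes.
    """
    if not identity_matches(acct, name, address, ssn, dob):
        return None
    for q, (_options, correct) in acct.questions.items():
        given = answers.get(q)
        if given == NONE_OF_THE_ABOVE:
            continue  # accepted unconditionally even when a listed option was correct
        if given != correct:
            return None
    return (send_to, acct.pin)


def hardened_recover(acct, name, address, ssn, dob, answers):
    """Every answer must equal the stored correct option (NONE_OF_THE_ABOVE included)
    and the PIN is only ever released to the address already on file; the form
    does not get to choose the destination at all.
    """
    if not identity_matches(acct, name, address, ssn, dob):
        return None
    for q, (options, correct) in acct.questions.items():
        given = answers.get(q)
        if given not in options or given != correct:
            return None
    return (acct.email_on_file, acct.pin)


if __name__ == "__main__":
    print("vulnerable:", vulnerable_recover(VICTIM, *BREACHED, "crook@example.net", ATTACKER_ANSWERS))
    print("hardened (attacker):", hardened_recover(VICTIM, *BREACHED, ATTACKER_ANSWERS))
    print("hardened (owner):", hardened_recover(VICTIM, *BREACHED, CORRECT_ANSWERS))
```

Run as-is, the vulnerable path hands the PIN to crook@example.net using nothing but breached data and a form full of "none of the above", while the hardened path refuses it and still works for the real owner. The caveat the article itself makes still applies to the hardened version: its identity step is built entirely on name, SSN and DOB, the very data a freeze exists to protect, so the security questions and the on-file email are doing all of the real work. A recovery flow that needs a stronger gate should bind release of the PIN to a second factor the consumer enrolled in advance rather than to knowledge-based questions alone.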



  • (Score: 2, Disagree) by Thexalon (636) on Thursday October 11 2018, @09:12PM (#747651) (3 children)

    Identity theft is simply one kind of fraud. And it can be more than just obtaining a fraudulent loan - for instance, a convicted criminal could steal someone else's identity in order to get a job or avoid the consequences of being on the sex offender registry by pretending to be someone with a clean record.

    --
    The only thing that stops a bad guy with a compiler is a good guy with a compiler.
  • (Score: 3, Touché) by sjames (2882) on Thursday October 11 2018, @10:02PM (#747677) Journal (2 children)

    The trickery is that by claiming that the simple fraud is somehow "identity theft" against the 3rd party that still has their identity and knew nothing about it, it pushes the losses their way instead of keeping them firmly between the fraudster and the negligent company that was defrauded.

    I used bank loans and/or credit cards because it makes the illustration easier. If someone uses your name to get a loan, you have no part in it. It is not ethically appropriate to put the onus on you to prove it was fraud or to clean up your credit history. The onus is on the bank that handed out the money without checking to show who they actually gave it to and to not libel or slander you in the process (by making the false claim that you didn't pay back a loan, for example).

    Just look at all the commercials for 'identity theft protection', as if the crime is against me or that I have some responsibility to stop it. Under any ethical system, it isn't and I don't. Any attempt to make it my problem is strictly unethical, and if the courts were even trying to serve justice, those attempts would be punished.

    • (Score: 2) by Thexalon (636) on Friday October 12 2018, @01:21AM (#747739) (1 child)

      Identity theft is a crime against you, and also fraud against the bank/employer/landlord/whoever the thief is fooling by pretending to be you.

      The damage to you isn't done when they made use of your identity. The damage happens when they screw it up. And I said "when", not "if", because (a) they screwed up enough that they decided to leave their old identity behind, and (b) they know they can escape the consequences of screwing up by assuming some other poor sap's identity. And until you do some digging, all you know is that you got fired for no obvious reason, or you couldn't rent the apartment you wanted, or nobody is willing to give you a reasonable rate on a loan.

      --
      The only thing that stops a bad guy with a compiler is a good guy with a compiler.
      • (Score: 2) by sjames (2882) on Friday October 12 2018, @05:23AM (#747784) Journal

        The screwed up credit is the result of libel and slander committed against me by the banks and the credit agencies. Nothing more and nothing less.

        If they would check their facts, there would be no adverse reports about me.